From Inksters Solicitors

Tag Archives: Data Protection Bill

Earlier this week the House of Lords and the House of Commons completed their game of ping pong with the Data Protection Bill and it completed its journey through the Parliamentary procedure; a journey which began when the Bill was introduced to the House of Lords by the Department for Culture, Media and Sport (DCMS) in September 2017. Almost eight months later, and after quite a bit of amendment, the Bill has now received Royal Assent to become the Data Protection Act 2018.

It is expected that the various pieces of secondary legislation which are required to bring the Act into force and make transitional provisions will be signed by a Minister in the DCMS later today or tomorrow to ensure that the Act comes into force on Friday.

The new Data Protection Act 2018 does a number of things: (1) it deals with those areas within the GDPR, such as exemptions, which have been left to Member States to deal with individually; (2) it applies the GDPR (with appropriate modifications) to areas which are not within the competence of the European Union; and (3) it gives effect to the Law Enforcement Directive (which should have been in place by the 6th May 2018, but better late than never).

Data Protection law has become much more complex than was the case under the Data Protection Act 1998; it requires individuals to look in many more places to get a proper handle upon what the law requires (and that’s before we start to get decisions from the European and domestic courts).

There has been an indication by some campaign groups that there might be an early challenge to the immigration exemption within the Bill which will have an impact upon the information that data subjects can obtain from the Home Office under the subject access provisions within the GDPR. It will certainly be interesting to see whether such a challenge is in fact made and what the outcome of it is – and of course, we will cover any decision on that point should one be made by a court.

The Data Protection Bill proposes amendments to both the Freedom of Information (Scotland) Act 2002 (“FOISA”) and the Environmental Information (Scotland) Regulations 2004 (“the Scottish EIRs”). The Bill is still making its way through the UK Parliamentary procedure and is due to have its third reading later today (9 May 2018) and, subject to completing its passage through Parliament in time, will come into force on 25 May 2018. There are currently no amendments tabled in the Commons ahead of the Bill’s third reading that would affect the relevant provisions in the Bill, but it is important to bear in mind that until the Bill completes its journey through the various stages of the legislative process it can be amended; even if it passes the Commons today, it still has to go back to the House of Lords and could become locked in a game of ping-pong between the Commons and the Lords, during which time it could be further amended. However, it seems unlikely that there will be any changes to the relevant provisions within the Bill.

Schedule 18 to the Bill proposes the amendments that should be made to a wide range of primary and secondary legislation, both reserved and devolved. Paragraphs 88-90 of Schedule 18 (as it stands at the time of writing) contain the amendments that will be made to section 38 of FOISA; meanwhile paragraphs 292-294 of Schedule 18 contain the amendments that will be made to the Scottish EIRs.

The proposed amendments to FOISA and the Scottish EIRs look, on the face of it, quite significant. However, the addition of a lot of text to section 38 and regulation 11 does not necessarily mean that there will be a drastic change in practice on the ground. One thing that public authorities should be aware of is the proposed subsection (5A) to section 38 and the proposed paragraph (7) of regulation 11. These proposals will have the effect of re-instating the ‘legitimate interests’ condition for lawful processing where public authorities are considering the release of third party personal data under FOISA or the Scottish EIRs.

In short, what this will mean is that public authorities will be able to consider legitimate interests in the same way as they do now under condition 6 of schedule 2 when dealing with FOI requests under either regime. Had it not been for these proposed provisions then the GDPR might well have had a significant impact upon the release of third party personal data under FOISA and the Scottish EIRs; it would have had the effect of removing the processing condition mostly relied upon when releasing third party personal data in response to FOI requests. It should be noted that Schedule 18 to the Data Protection Bill proposes re-instating the legitimate interests condition in respect of the release of third party personal data under the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 (see, as at the time of writing, paragraphs 58 and 289 of Schedule 18 respectively).

There is very little difference between condition 6 of Schedule 2 to the Data Protection Act 1998 and the legitimate interests condition in Article 6 of the GDPR and in practical terms there is almost no difference at all. The only real area where there may be some difference is where the third party personal data is that of a child where Article 6(1)(f) of the GDPR instructs data controllers to have particular regard to the interests and fundamental rights and freedoms of data subjects who are children. In reality, the fact that a data subject is a child is likely to always have been a factor that has been taken into consideration when undertaking the balancing exercise required by Condition 6 of Schedule 2 and so even to this extent there is unlikely to be much in the way of change.

Of course, the provisions are untested and the Commissioner and courts could take a different view, but in my view we are likely to see the release of the same sorts of third party personal data under FOISA and the Scottish EIRs after the GDPR as we do now. Furthermore, there is the question as to whether the re-introduction of legitimate interests for FOI purposes is lawful in terms of EU law. Article 85 of the GDPR does require Member States to reconcile the right to protection of personal data under the GDPR with the right to freedom of expression and information. Whether the UK Government’s method of reconciling the two, by effectively disapplying the prohibition on public authorities relying upon legitimate interests in respect of the performance of their tasks, is permitted by EU law is something we might need to wait to discover (then again, the UK might not be in the EU long enough for that matter to be determined – but that’s a whole different issue).

In conclusion both requesters and public authorities should familiarise themselves with the amended section 38 and regulation 11. In practice not much, if anything, is likely to change when it comes to the releasing of third party personal data under FOI laws (both Scottish and UK regimes). However, public authorities and requesters should keep a close eye on the decisions of both the Scottish and UK Information Commissioners as well as the First-Tier Tribunal, Upper Tribunal, English and Welsh Court of Appeal, the Court of Session and the UK Supreme Court.

Part 3 of the Data Protection Bill will implement the provisions of the LED in the UK. Clauses 43 to 54 of the Bill (as the Bill presently stands) make provisions in respect of the rights of data subjects under Part 3. The rights within the Data Protection Bill are derived from the LED itself, which is very much based upon the rights contained within the General Data Protection Regulation. Chapter III of the LED sets out the rights which Member States must make available to data subjects where personal data is being processed for the law enforcement purposes.

Information to be made available, or given, to the data subject

Article 13 of the LED makes certain provisions in relation to the information that controllers, who are processing personal data for the law enforcement purposes, should normally make available to data subjects. The provisions of Article 13 are contained within clause 44 of the Data Protection Bill (although I make reference to the LED Articles, it should be kept in mind that the LED is a Directive rather than a Regulation and therefore does not have direct effect. It will be the domestic provisions upon which data subjects will rely in their dealings with the competent authorities, Information Commissioner and domestic courts, rather than the LED’s Articles).

Controllers who are processing personal data for the law enforcement purposes are to make the following information available:

the identity and contact details of the controller;

the contact details of the data protection officer (where there is one);

the purposes for which the controller processes personal data;

the existence of the data subject’s rights to (i) subject access; (ii) rectification; (iii) erasure of personal data or the restriction of its use; and (iv) make a complaint to the Information Commissioner;

information about the period for which the personal data will be stored or, where that is not possible, about the criteria used to determine that period;

where applicable, information about the categories of recipients of the personal data (including recipients in third countries or international organisations); and

where necessary, further information to enable the exercise of the data subject’s rights under Part 3, in particular where the personal data are collected without the knowledge of the data subject.

Controllers can restrict the level of information that is provided to the data subject in order to: (a) avoid obstructing official or legal inquiries, investigations or procedures; (b) avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties; (c) protect public security; (d) protect national security; or (e) protect the rights and freedoms of others.

This right to information will not be unfamiliar to anyone who is familiar with the provisions of the GDPR; however, it’s not surprising that the right is limited to a degree to take account of the nature of the personal data that falls to be dealt with under the LED and Part 3 of the Data Protection Bill.

Subject Access

The right of subject access remains a fundamental aspect of data protection law emanating from the European Union. I have previously looked at the right of subject access within the General Data Protection Regulation on this blog. The right is of such fundamental importance that it appears within the LED; Articles 14 and 15 of the LED cover the right of subject access, and this aspect of the LED is to be given effect to by clause 45 of the Data Protection Bill (as it currently stands).

If you are familiar with the right of subject access under the current Data Protection Act 1998 and/or the General Data Protection Regulation, then nothing much will surprise you within Articles 14 and 15 and clause 45. The right of subject access within the LED and Part 3 of the Data Protection Bill provides the data subject with the same rights as they have under the GDPR. It must be complied with within one month and no fee can generally be charged for dealing with a Subject Access Request (SAR).

The controller can restrict the data subject’s right to subject access and these provisions are presently found within clause 45(4) of the Data Protection Bill. The controller can restrict the data subject’s right to the extent and for so long as it is a necessary and proportionate measure to: (a) avoid obstructing an official or legal inquiry, investigation or procedure; (b) avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties; (c) protect public security; (d) protect national security; or (e) protect the rights and freedoms of others. In determining whether the restriction is a necessary and proportionate measure the controller must have regard to the fundamental rights and legitimate interests of the data subject.

Where a data subject’s right to subject access under Part 3 of the Data Protection Bill is to be restricted, the Bill (in its current form) requires the data subject to be given information relating to the restriction, except to the extent that providing such information would undermine the purpose of the restriction. For example, if an individual who was being investigated by the police for fraud made a Subject Access Request, the police would be entitled to restrict the data subject’s rights insofar as they related to that investigation, and the police would be able to do so without telling them that they have restricted their subject access rights.

The next part will look at the right to restriction of processing; the right to erasure and the data subject’s rights in relation to automated processing in the context of the LED and Part 3 of the Data Protection Bill. Remember, the LED is due to be implemented by 6th May 2018, which is almost 3 weeks before the date upon which the GDPR becomes applicable.

In light of the investigation currently being undertaken by the Information Commissioner into Facebook and Cambridge Analytica, I thought it was worthwhile considering some of the relevant provisions of the Data Protection Bill as it currently stands.

One of the issues that has arisen is the apparent inability of the Information Commissioner to obtain a warrant for entry and inspection of Cambridge Analytica’s offices; I’ve already looked at the Commissioner’s current powers to obtain such a warrant under the Data Protection Act 1998 generally. Schedule 15 to the Data Protection Bill deals with the Commissioner’s powers of entry and inspection; it sets up the same scheme that is currently in place in terms of Schedule 9 to the Data Protection Act 1998. There have been some comments about the need for the Information Commissioner to give 7 days’ written notice demanding entry before applying for a warrant; but as I noted in my blog post earlier this week, the judge can grant a warrant without those conditions having been met in certain defined circumstances. Whether this process causes confusion for the Information Commissioner’s staff or not is only something that the Commissioner herself can comment on at this stage; however, it is not unusual for the Commissioner to obtain warrants – indeed her office executed a warrant in Scotland only yesterday.

Another part of the Data Protection Bill which may be of relevance is the provisions therein concerning the consent of children in relation to Information Society Services. The General Data Protection Regulation sets the age of consent at 16, but allows Member States to reduce the age to no lower than 13. Clause 9 of the Data Protection Bill currently provides that in the United Kingdom the age will be reduced from 16 to 13. Information Society Services include, but are not limited to, social media websites such as Facebook.

There are provisions within the Data Protection Bill which would require the Information Commissioner to prepare and publish, after approval, a code on age-appropriate design. This code can be taken into account by the Commissioner and the courts and tribunals, but the Bill provides expressly that failure to comply with such a code “does not of itself make that person liable to legal proceedings in a court or tribunal” (Clause 126(1) of the Data Protection Bill).

The provisions governing the age at which a child can consent to the processing of their personal data for Information Society Services have caused some concern during the Bill’s passage through Parliament; it is reasonable to assume that the issue will come up again once the Bill reaches its final stage of the Parliamentary process in the House of Commons in light of developments over the past week.

Another clause in the Data Protection Bill which has caused some concern in light of the Cambridge Analytica revelations is the provision in Clause 6(e). What this provides for is that an “activity that supports or promotes democratic engagement” is to be considered “processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of the controller’s official authority” for the purposes of Article 6(1)(e) of the GDPR. The Information Commissioner has raised concerns that this would legitimise the activities of Cambridge Analytica. This was inserted, as a Government amendment, during the Public Bill committee stage of the Bill’s passage through the House of Commons.

In moving the amendment, the Minister explained that “term has been deliberately chosen with the intention of covering a range of activities carried out with a view to encouraging the general public to get involved in the exercise of their democratic rights”. It may be that between now and the Bill being finally agreed to by the House of Commons that this provision is tightened up somewhat to ensure that activities like those carried out by Cambridge Analytica do not fall within the ambit of that clause.

I would tend to agree with the Commissioner’s assessment on the impact of clause 6(e) in relation to the sorts of activities we are concerned with in respect of the Cambridge Analytica and Facebook investigations. The clause is extremely wide and while it is subject to a necessity test, it is entirely possible that these activities could fall within the ambit of clause 6(e). The Government may well be wise to revisit clause 6(e) and see if it can be tightened up in any way to ensure that its scope is narrowed.

As can be seen, there are a number of issues concerning the Data Protection Bill (of which the above are only some) arising out of the Cambridge Analytica and Facebook investigations; it will be necessary to wait and see how, if at all, the House of Commons reacts and whether there are any changes to the Bill as a consequence.

The Data Protection Bill has been winding its way through the legislative process since it was first introduced to the House of Lords in September 2017. Since then it has completed its passage through the House of Lords and is now being scrutinised by MPs in the House of Commons, having received its second Reading last week. I made some initial observations on the Bill shortly after it was first published and thought that it was about time that I revisited the general subject of the Bill.

The Bill has now reached the committee stage in the House of Commons and is being considered by a Public Bill Committee, the first meetings of which took place yesterday. You can read the first sitting, which took place yesterday morning, in Hansard; meanwhile the second sitting, which took place yesterday afternoon, can be found in Hansard here.

There was a debate yesterday morning on a proposed amendment (‘new clause 12’) which would insert a new clause into the Bill incorporating Article 8 of the Charter of Fundamental Rights of the European Union. Article 8 of the Charter makes specific provision for the protection of personal data; the amendment was tabled by MPs from opposition parties and was resisted by the Government. The source of the government’s concern, as set out by the Minister of State yesterday, is that new clause 12 would, in the government’s view, create “a new and free-standing right”. The Minister went on to say that “[t]he new right in new clause 12 would create confusion if it had to be interpreted by a court.” This was contested by Liam Byrne MP, who moved the amendment. Mr Byrne noted that this was a refined version of an amendment that was unsuccessfully moved in the House of Lords. Mr Byrne described the suggestion that new clause 12 was creating a new and unfettered right as being “nonsense”. The amendment, while debated yesterday, was not put to a vote; decisions on whether to insert new clauses are not due to be taken until towards the end of the Committee’s consideration of the Bill. We will need to therefore wait to learn whether it is ultimately included in the Bill or not.

Some amendments were considered and agreed to yesterday, while some others were considered and not agreed to. In Clause 3 of the Bill, the definition of ‘processing’ has been amended to remove reference to ‘personal data’ and to replace it with ‘information’. This means that the definition of processing in the Data Protection Bill now reads: “Processing”, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as”. This means that the definition of processing in Clause 3 of the Data Protection Bill differs from the definition within the GDPR.

The explanation proffered by the Minister in support of these amendments was that they were “designed to improve clarity and consistency of language.” The Minister argued that “the amendments ensure consistency with terminology in other legislation.” She also gave her view that the amendments have “no material impact on the use of the term “processing” in parts 2 to 7 of the Bill”.

Clause 7 of the Bill (which deals with the meaning of ‘public authority’ and ‘public body’) has also been amended so as to provide that Ministers, exercising their delegated powers to designate and undesignate (for the purposes of data protection law) public authorities and public bodies, can do so not simply by identifying specific bodies or organisations, but also by way of description. The changes effectively mean that the provisions in the Data Protection Bill work in the same way as the similar provisions do within the Freedom of Information Act 2000 and the Freedom of Information (Scotland) Act 2002.

The controversial immigration exemption in paragraph 4 of Schedule 2 to the Data Protection Bill saw a great deal of debate in the afternoon’s sitting. An amendment to remove the immigration exemption entirely from the Bill was moved and a division took place. The amendment to remove the exemption from the Bill was defeated by 10 votes to 9 and therefore the exemption remains in the Bill. The split was along party lines, with the Government’s MPs successfully voting down the amendment and all MPs from opposition parties voting in favour of it.

It would not be possible to discuss everything that went on during the course of the committee’s two sittings yesterday, but I have tried to pick out some of the key aspects from yesterday’s proceedings. The amendment to the definition of processing seems to me to be rather odd and quite frankly unfathomable. Personal data is a well understood term within the field of data protection and privacy law. How the courts and Commissioner will interpret “information” is something that we will need to wait and see; if the amendment does in fact make no material change, then it will have been a completely pointless amendment.

I don’t see the controversy of the immigration amendment going away anytime soon. The Government is satisfied that the exemption strikes the right balance and is one that is permissible in terms of the GDPR. Campaign groups in opposition to the amendment say that it goes too far and, in any event, is unlawful as it is not permitted by the GDPR. It will certainly be interesting to see where matters go in that regard.

The attempt to replicate Article 8 of the EU Charter is an interesting proposal; one of the Government’s red lines in relation to the EU withdrawal process is that the EU Charter will cease to apply in the United Kingdom, so how the effective inclusion of one article of the Charter would go down with certain members of Parliament remains to be seen. Whether its inclusion will assist with the issue of ‘adequacy’ following the United Kingdom’s withdrawal from the European Union is debatable (for what it is worth, my initial reaction is that it’s unlikely that it would have any bearing at all upon the question of adequacy).

The Committee’s consideration of the Bill is due to continue tomorrow (Thursday 15th March 2018) with sittings starting at 11:30am and again at 2pm. This is a large and complex Bill and the task of undertaking a line by line scrutiny of it is no easy task, especially in a timetable that will see this line by line scrutiny come to an end on 27th March 2018.

Among all of the hype surrounding the General Data Protection Regulation (GDPR) some other aspects of information law are being overlooked; I have already written about the Privacy and Electronic Communications (EC Directive) Regulations 2003 and how they are forgotten about. The GDPR is not the only new piece of EU law which is due to take effect in May and which will impact data protection and privacy law in the United Kingdom. The processing of personal data by data controllers for the purpose of law enforcement falls outside of the scope of the GDPR; instead this is dealt with by the Law Enforcement Directive (LED). As the LED is a Directive rather than a Regulation, the LED does not have direct effect and therefore requires to be transposed into Member States’ domestic law. This is being achieved in the UK through Part 3 of the Data Protection Bill.

The LED is perhaps not as visible as the GDPR because of its much more limited scope. However, this blog aims to cover all information law bases and it would be remiss of me not to write something on it at least. The LED, and therefore the provisions of Part 3 of the Data Protection Bill, applies to what have been termed as “competent authorities” for the purposes of “the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security”; these purposes are collectively known as the “law enforcement purposes”.

So, who needs to bother about the LED? Obviously, competent authorities have to bother about it because it governs how they process personal data for the law enforcement purposes; however, they are not the only ones. Data subjects should also be concerned about the LED as it governs how their personal data is processed by these competent authorities and sets out what rights they have in relation to personal data processed by them for law enforcement purposes. The competent authorities are mostly set out in Schedule 7 to the Data Protection Bill; however, clause 30(1)(b) of the Data Protection Bill provides that “any other person if and to the extent that the person has statutory functions for any of the law enforcement purposes” is also a competent authority. The most obvious competent authority is the police; however, there are quite a few others listed within Schedule 7 including Revenue Scotland, the Department for Work and Pensions, the Police Investigations and Review Commissioner and HMRC. Of course, both the Information Commissioner and Scottish Information Commissioner process personal data for the law enforcement purposes and therefore Part 3 of the Data Protection Bill would apply to them when they’re processing personal data in that capacity. In terms of clause 30(1)(b) competent authorities, the most obvious example would be local authorities, who are responsible for things such as Trading Standards provision and also the investigation of fraud concerning benefits administered by them.

One thing that should be noted is that the security and intelligence services (The Security Service, Secret Intelligence Service and GCHQ) are not covered by the LED. National Security falls outside of the scope of EU law and therefore the European Union has no competence to regulate these areas. Therefore, although the Security Services process personal data for law enforcement purposes, the LED does not apply to them. The Data Protection Bill does make provision for the processing of personal data by the security and intelligence agencies; this can be found in Part 4 of the Data Protection Bill (and falls outside of the scope of this blog post).

Chapter 1 of Part 3 of the Data Protection Bill provides the key definitions which require to be used when applying Part 3. The definitions are broadly the same as those to be found in the GDPR with relevant modifications being made. Therefore if you are familiar with data protection law then these definitions will not be too alien to you.

Chapter 2 of Part 3 of the Data Protection Bill sets out the six principles to be complied with when processing personal data under Part 3. Meanwhile, Chapter 3 sets out data subjects’ rights; including the right to subject access, the right to rectification and the right to erasure or restriction of processing.

The rights of data subjects under Part 3 of the Data Protection Bill will be the subject of a separate blog post later in the month; however, suffice it to say that they have a more limited scope than under the GDPR because of the nature of the processing being dealt with.

There is one final part of the Data Protection Bill to make mention of in this blog post and that is Schedule 8 to the Data Protection Bill. This Schedule sets out the conditions which must be met before a competent authority can carry out sensitive processing of personal data under Part 3.

The LED is supposed to be transposed into Member States’ domestic law by 6th May 2018; it remains to be seen whether the Data Protection Bill will complete its passage through Parliament and receive Royal Assent in time to allow Part 3 to be commenced by then.

If you require any advice or assistance in connection with the provisions of the Law Enforcement Directive or any other information law concern, please contact Alistair Sloan on 0345 450 0123 or send him an E-mail.

2018 is now upon us and this is a big year in the field of Information Law, the General Data Protection Regulation will at last become applicable in the United Kingdom. If you are a data controller or a data processor, your preparations for the GDPR should be well under way; however, if you have not yet started to prepare for these regulations then it is not yet too late. The lesser known brother of the GDPR also kicks in this year, the Law Enforcement Directive, which governs the processing of personal data by law enforcement agencies.

However, before I get stuck into what is coming this year in the field of Information law, I want to take a moment to look back at some of the things that happened in 2017. At the tail end of 2017 the High Court in England issued its anticipated judgment in the case of Various Claimants v WM Morrisons Supermarket PLC [2017] EWHC 3113 (QB). This represented a significant development in the data protection field and opens up a much wider range of circumstances in which data subjects can sue a data controller under Section 13 of the Data Protection Act 1998.

In October 2017, the Irish High Court made a reference to the Court of Justice of the European Union at the request of the Irish Data Protection Commissioner seeking a preliminary ruling on “Privacy Shield”, the successor to the Safe Harbour rules which had previously been held to be unlawful by the European Court.

Also in September 2017, the UK Government published its Data Protection Bill which will replace the Data Protection Act 1998, extends GDPR standards to areas not within the competence of the European Union and implements the Law Enforcement Directive, among other things.

Now looking ahead to 2018, it is possible that we might see a decision from the English Court of Appeal in the Morrisons case referred to above, the judge having granted permission to Morrisons to appeal his findings in relation to vicarious liability. We may also see claims for compensation being made based upon the Morrisons decision.

It is also possible that we will see the Scottish Parliament’s Public Audit and Post-Legislative scrutiny Committee begin to undertake a post-legislative inquiry into the operation of the Freedom of Information (Scotland) Act 2002 (or announce that such an inquiry will take place in due course). If such an inquiry does take place, it will be the first time that there will have been a complete review of the Scottish FOI Act and how it is operating.

By the end of 2018 we should also hopefully have a much better idea as to what the UK’s relationship with the European Union will be after it leaves, and in particular what impact this will have on data protection and privacy law in Scotland and the rest of the UK.

There will no doubt be a raft of new court decisions in relation to both Privacy/Data Protection and Freedom of Information over the course of the next 12 months and I will attempt to address the most important and unusual decisions here on the Information Law Blog from Inksters Solicitors.

Yesterday, the Scottish Government began a consultation on legislation to formally designate Registered Social Landlords (RSLs) as Scottish public authorities for the purposes of the Freedom of Information (Scotland) Act 2002 (“FOISA”). The draft Order being consulted on proposes a commencement date of 1st April 2019.

This is not an unexpected development in the field of information law. In December 2016 the Scottish Government consulted on the principle of designating RSLs as public authorities for the purposes of FOISA. It has been widely anticipated that RSLs would be designated as a public authority for the purposes of FOISA.

A designation as a public authority for the purposes of FOISA will have ramifications for RSLs beyond the obvious need to comply with FOISA and being under the regulatory oversight of the Scottish Information Commissioner. It will also have implications for RSLs in respect of how they implement the General Data Protection Regulation (“GDPR”), which becomes applicable from 25th May 2018.

There are a number of aspects of the GDPR which are directed towards public bodies. The Data Protection Bill currently before the UK Parliament defines what a public body is for the purposes of the GDPR. Clause 6 of the Bill provides that a body which is designated as a Scottish public authority for the purposes of FOISA is a public body. This will mean that RSLs will have to appoint a Data Protection Officer; even although many of them would not have had to before this decision was taken by the Scottish Government.

It also has implications for the grounds upon which they can legitimately process personal data. Processing of personal data for the purpose of pursuing a legitimate interest of the controller is permissible under the GDPR. However, the GDPR goes on to provide that public bodies cannot rely upon legitimate interest as a ground of processing in performance of their tasks. Therefore, any RSL that has been preparing for the GDPR on the basis that they will be able to process personal data on the legitimate interests ground will have to re-evaluate its processing of personal data ahead of its designation as a public authority for the purposes of FOISA.

It is worthy of note, simply for interest, that the Data Protection Bill proposes giving the Secretary of State the power to make regulations which state that a public body is not in fact a public body for the purposes of the GDPR. However, there has been no indication that the Secretary of State intends to make use of this power or how the power is intended to be used; therefore, it is probably advisable not to work on the basis that RSLs will be declared not to be public bodies for the purposes of the GDPR.

Another possible implication for RSLs is in relation to the Environmental Information (Scotland) Regulations 2004 (“the EIRs”). The Scottish Information Commissioner has already previously decided that RSLs are public authorities for the purpose of these regulations, which govern access to environmental information. The Housing (Amendment) (Scotland) Bill may have implications for the basis upon which the Commissioner concluded that RSLs were a public authority for the purposes of the EIRs. If it does, there may be a gap where RSLs are not public authorities for the purposes of EIRs. Once they become designated as a public authority for the purposes of FOISA, they will automatically become a public authority for the purposes of the EIRs as well.

Section 13 of the Data Protection Act 1998 makes provision for a data subject to raise court proceedings for payment of damages where there has been a breach of the Data Protection Act 1998 which has caused them damage and/or distress. The provisions in Section 13 have not been used as often as they might otherwise have; this may have been partly down to the way in which the legislation was initially drafted, but that was rectified (in England, at least) by the English Court of Appeal in Google Inc v Vidal-Hall and ors [2015] EWCA Civ 311.

The General Data Protection Regulation, which is due to become applicable in the UK from 25th May 2018, makes provision for data subjects to obtain compensation from controllers and processors in Article 82. The right is for “any person who has suffered material or non-material damage as a result of an infringement of [the GDPR]” to be compensated. Clause 159(1) of the Data Protection Bill (which is still in the early stages of the parliamentary process), provides that this “includes financial loss, distress and other adverse effects.”

A Data Subject is not limited to claiming compensation from the controller. The GDPR provides that a processor will “be liable for the damage caused by processing only where it has not complied with the obligations…specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.”

Article 82(3) of the GDPR introduces a defence to such a claim for compensation, but it is an exceptionally high test. No liability arises where the controller or processor “proves that it is not in any way responsible for the event giving rise to the damage.” The burden of proof falls on the controller or processor, and liability attaches even where the processor or controller is responsible for the event causing the damage in the most minor of ways.

The terms of Article 82(3) create joint and several liability for controllers and processors. In a situation where multiple controllers and/or processors are all partially responsible for the event giving rise to the damage, the data subject could elect to sue any one of them (or indeed, all of them). Where the data subject elects to sue just one controller/processor who is responsible, that controller/processor is entitled to recover from the other controllers/processors “that part of the compensation corresponding to their part of responsibility for the damage.”

Where the data subject elects to sue more than one controller/processor then Recital 146 of the GDPR explains that, in accordance with Member State law, compensation may be apportioned by the court according to the responsibility of each controller or processor for the damage caused by the processing.

The GDPR does not stipulate any maximum amount of compensation that can be awarded to data subjects; however, Recital 146 of the GDPR explains that data subjects should receive full and effective compensation for the damage they have suffered. Quite what “full and effective compensation” means is something that will be worked out as the courts grapple with the new provisions. There have been almost no published decisions from the Scottish courts in respect of claims for compensation under Section 13 of the Data Protection Act 1998, but where there have been decisions the compensation awarded has not been particularly high. For example, Sheriff Ross awarded each of the Pursuers £8,364 in Woolley v Akbar [2017] SC Edin 7. That case concerned the use of CCTV at private dwellings and the compensation figure was calculated on a nominal rate of £10 per day that the Defender was in breach of the Act.

The GDPR only applies to processing of personal data in areas which are within the competence of the European Union; however, the Data Protection Bill extends the scope of the GDPR to areas beyond the competence of the European Union. Clause 160 of the Bill provides for compensation where it cannot be claimed under Article 82 and the clause mirrors the terms of Article 82.

In Scotland both the Sheriff Court and the Court of Session will have jurisdiction to hear claims under Article 82 of the GDPR and Clause 160 of the Data Protection Bill (as is the case with claims under Section 13 of the Data Protection Act 1998). In practice it is likely that the vast majority of claims will be heard in the Sheriff Court given that it is unlikely that any claim will exceed £100,000 and will therefore be within the privative jurisdiction of the Sheriff Court. However, with the advent of Group Proceedings (see Section 17 of the Civil Litigation (Expenses and Group Proceedings) (Scotland) Bill [pdf]) it is possible that Article 82 claims will end up in the Court of Session, as the Bill only provides for a group proceedings procedure in the Court of Session.

Those who process personal data should be aware that the right of a data subject to claim compensation, whether that be under the Data Protection Act 1998, the GDPR or the Data Protection Bill (when it becomes an Act), arising out of a data protection breach is in addition to any enforcement action that the Information Commissioner takes, such as the issuing of an administrative fine.

If you would like to pursue a claim for compensation for a data breach, or if you require to defend such a claim; or if you would like advice and assistance with any other Information Law matter we would be pleased to hear from you. You can contact Alistair Sloan on 0345 450 0123. Alternatively, you can send him an E-mail.

The right of subject access has been a cornerstone of the Data Protection Act 1998 (“the DPA”). This is the right that allows individual data subjects to, among other things, receive confirmation from a data controller whether or not the controller is processing their personal data and to obtain copies of that data which is being processed by the data controller. Under the DPA, data controllers have 40 calendar days in which to respond to a subject access request and can charge a fee which does not exceed the prescribed limit (which is £10 for most data controllers).

The critical importance of the right of subject access means there is no surprise that the General Data Protection Regulation (“GDPR”), which becomes applicable from 25 May 2018, continues to have in place a right of subject access. The right of subject access is to be found in Article 15 of the GDPR and has been incorporated into Clause 43 of the Data Protection Bill, published by the government earlier this month. There have been some changes to that right which are designed to make it much more effective for data subjects. This blog post explores some of the key changes to the right of subject access; however, it is by no means comprehensive.

The first key change to note is the length of time that data controllers will have to comply with a subject access request; this is being reduced from the current 40 calendar days to 30. Where the data controller has “reasonable doubts as to the identity of an individual making” a subject access request, then they may request the provision of additional information to enable the controller to confirm the identity. Where such a request is made, Clause 52 of the Data Protection Bill provides that the 30 day period does not begin to be calculated until the day on which that information is provided to the data controller. It should be noted though that this does not provide a route to delay the fulfilling of a subject access request; the data controller must have doubts as to the identity of the requester and those doubts must be reasonable.

In terms of fees, there is no provision within the GDPR for a data controller to request a fee for making a subject access request; however, Article 15(3) of the GDPR does permit data controllers to charge a reasonable fee based on administrative costs for providing copies of the personal data being processed beyond the first copy (i.e. the first copy is free). For subsequent copies, what will be considered a “reasonable fee” remains to be seen. The Data Protection Bill has supplemented this provision and allows the Secretary of State to set a cap on such fees. There has not yet been any indication as to whether (a) the Secretary of State will set such a cap; and (b) if so, what that cap will be.

The administrative fines provisions of the GDPR apply to the right of subject access and a failure to comply with the requirements of Article 15 can attract a maximum administrative fine of the greater of €20m or 4% of global turnover.

Data controllers have sometimes interpreted the right of subject access under Section 7 of the DPA as only providing a right to receive copies of the personal data processed, but that is not the case, and that continues to be so under the GDPR. Data controllers should therefore familiarise themselves with the full suite of rights that a data subject has under the heading of subject access; these can be found in Clause 43(2) of the Data Protection Bill or in Article 15 of the GDPR.

There are a number of circumstances in which a data controller can restrict a data subject’s right of subject access. These are set out in Clause 43(4) of the Data Protection Bill and are:

to avoid obstructing an official or legal inquiry, investigation or procedure;

avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;

to protect public security;

to protect national security.

However, where a data controller has restricted the data subject’s right to subject access, the data controller is required to provide certain information to the data subject in writing and without undue delay. That information is:

that the rights of the data subject have been restricted;

the reasons for the restriction;

the data subject’s right to make a request to the Information Commissioner to check that the processing is compliant;

the data subject’s right to make a complaint to the Information Commissioner; and

the data subject’s rights to make an application to the court (in Scotland, the Court of Session or the Sheriff Court).

One additional point of note about subject access requests is that the GDPR, in recital 63 and unlike the Data Protection Directive, upon which the Data Protection Act 1998 is based, states that the purpose of the right to subject access is to enable the data subject “to be aware of, and verify, the lawfulness of the processing.” This may mean that Subject Access Requests may be rejected where they are submitted for other reasons. Whether the courts will consider Recital 63 as exhaustive as to the purposes for which an individual may exercise their rights of subject access or not remains to be seen.

There is a lot to the right of subject access and there are some key changes which will come into effect on 25 May 2018. This is a cornerstone of data protection law and data controllers should be attaching substantial weight to compliance as a consequence.

If you would like any advice and assistance on subject access requests, either under the GDPR or the Data Protection Act 1998, or any other Information Law matter; then contact Alistair Sloan on 0345 450 0123. Alternatively, you can send him an E-mail.